US10171478B2 · Active · Utility · PatentIndex 76

Efficient and secure method and apparatus for firmware update

Assignee: FARADAY&FUTURE INC · Priority: Jun 30, 2016 · Filed: Jun 30, 2017 · Granted: Jan 1, 2019
Est. expiry: Jun 30, 2036 (~10 yrs left) · nominal 20-yr term from priority
Inventors: MCCAULEY PHILLIP; FERNANDO JANA MAHEN; COERPER NATHAN
CPC: G06F 8/65; H04W 4/40; H04L 63/0435; H04L 63/0442; H04L 63/045; G06F 21/57; H04L 9/3247; H04L 67/34; H04L 63/123; H04L 63/0428; H04L 9/0891; H04L 2209/84

PatentIndex Score: 76 · Cited by: 8 · References: 12 · Claims: 17

Abstract

This relates to a vehicle and, more particularly to, a vehicle configured to perform a secure firmware update. Some examples of the disclosure include receiving a firmware update package including updated firmware for one or more electronic control units (ECUs) of a vehicle. According to the disclosure, the firmware update package can be transmitted to and stored on an untrusted ECU and distributed to one or more target ECUs in a secure firmware update process monitored by a secure ECU.

Claims

exact text as granted — not AI-modified
The invention claimed is:

1. A vehicle, comprising:
an untrusted electronic control unit (ECU) comprising a receiver, a processor, and a memory, the receiver configured for receiving from a secure server a firmware update package including one or more firmware updates, and the memory of the untrusted ECU configured to store the firmware update package;
a secure ECU operatively coupled to the untrusted ECU, the secure ECU configured for authenticating the firmware update package; and
one or more target ECUs, each operatively coupled to the untrusted ECU and to the secure ECU, each respective target ECU comprising a bootloader configured for computing a checksum for a respective firmware update of the one or more firmware updates and signing the checksum with a unique key associated with the respective target ECU.

2. The vehicle of claim 1, wherein the firmware update package is encrypted with an asymmetric key and each of the one or more firmware updates is encrypted with the unique key corresponding to a respective target ECU of the one or more target ECUs.

3. The vehicle of claim 1, wherein the untrusted ECU is further configured for:
decrypting the firmware update package; and
transmitting a signed update command to the secure ECU.

4. The vehicle of claim 1, wherein the secure ECU is configured for:
receiving a signed update command from the untrusted ECU, the signed update command indicative of the received firmware update package;
authenticating the signed update command; and
in accordance with a determination that the signed update command is authentic, transmitting a signed distribution command to initiate a transmission of one or more firmware updates to one or more target ECUs.

5. The vehicle of claim 4, wherein the secure ECU is configured for:
in accordance with a determination that the signed updated command is inauthentic, transmitting a signed erase command to the untrusted ECU to initiate an erasure of the firmware update package.

6. The vehicle of claim 1, wherein the secure ECU is configured for:
receiving the signed checksum from one or more target ECUs;
verifying a signature of the signed checksum;
verifying a result of the signed checksum; and
in accordance with a determination that the signature is valid and the result is correct, transmitting one or more installation commands to the one or more target ECUs to install a respective firmware update corresponding to the signed checksum.

7. The vehicle of claim 6, wherein the secure ECU is configured for:
in accordance with a determination that the signature is not valid or the result is incorrect, transmitting one or more erase commands to the one or more target ECUs to erase a respective firmware update corresponding to the signed checksum.

8. The vehicle of claim 1, wherein each unique key associated with each target ECU is a symmetric key.

9. A method for updating firmware at a vehicle, the method comprising:
receiving, from a secure server, a firmware update package including one or more firmware updates;
storing the firmware update package at a memory of an untrusted electronic control unit (ECU);
authenticating, with a secure ECU, the firmware update package;
in accordance with a determination that the firmware update package is authentic:
transmitting one or more firmware updates included in the firmware update package to one or more respective target ECUs;
computing, with a bootloader included in a target ECU of the one or more respective target ECUs, a checksum for a respective firmware update; and
signing, with the bootloader, the checksum using a unique key associated with the target ECU.

10. The method of claim 9, wherein the firmware update package is encrypted with an asymmetric key and each of the one or more firmware updates is encrypted with the unique key corresponding to the respective target ECU.

11. The method of claim 9, further comprising, at the untrusted ECU:
decrypting the firmware update package; and
transmitting a signed update command to the secure ECU.

12. The method of claim 9, further comprising, at the secure ECU:
receiving a signed update command from the untrusted ECU, the signed update command indicative of the received firmware update package;
authenticating the signed update command; and
in accordance with a determination that the signed update command is authentic, transmitting a signed distribution command to initiate a transmission of one or more firmware updates to one or more target ECUs.

13. The method of claim 12, further comprising, at the secure ECU:
in accordance with a determination that the signed updated command is inauthentic, transmitting a signed erase command to the untrusted ECU to initiate an erasure of the firmware update package.

14. The method of claim 9, further comprising, at the secure ECU:
receiving a signed checksum from one or more target ECUs;
verifying a signature of the signed checksum;
verifying a result of the signed checksum; and
in accordance with a determination that the signature is valid and the result is correct, transmitting one or more installation commands to the one or more target ECUs to install a respective firmware update corresponding to the signed checksum.

15. The method of claim 14, further comprising, at the secure ECU:
in accordance with a determination that the signature is not valid or the result is incorrect, transmitting one or more erase commands to the one or more target ECUs to erase a respective firmware update corresponding to the signed checksum.

16. The method of claim 9, wherein each unique key associated with each target ECU is a symmetric key.

17. A non-transitory computer-readable medium including instructions, which when executed by one or more processors, cause the one or more processors to perform a method for updating firmware at a vehicle, the method comprising:
receiving, from a secure server, a firmware update package including one or more firmware updates;
storing the firmware update package at a memory of an untrusted electronic control unit (ECU);
authenticating, with a secure ECU, the firmware update package;
in accordance with a determination that the firmware update package is authentic:
transmitting one or more firmware updates included in the firmware update package to one or more respective target ECUs;
computing, with a bootloader included in a target ECU of the one or more respective target ECUs, a checksum for a respective firmware update; and
signing, with the bootloader, the checksum using a unique key associated with the target ECU.
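The three-party flow the claims describe (untrusted ECU stores the package, secure ECU authenticates it and decides, target bootloader reports a checksum signed with its unique symmetric key, secure ECU answers with install or erase) can be exercised end to end in a small simulation. The code below is an added illustration written for this page, not code from the patent or from the assignee. It assumes HMAC-SHA256 as the stand-in for the "signing" the claims mention (claim 8 makes the per-target key symmetric, so a MAC fits; the claims do not name an algorithm), a constructed shared key between the secure server and the secure ECU for package authentication, and constructed key material and firmware images throughout. It deliberately leaves out the encryption of claims 2 and 10 to keep the accept/erase decision logic visible.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo keys (assumption: a real design keeps these in protected storage).
SERVER_KEY = b"demo-server-to-secure-ecu-key"   # authenticates the whole package
TARGET_KEYS = {                                  # one symmetric key per target ECU (claim 8)
    "ECU_BRAKE": b"demo-brake-unique-key",
    "ECU_BCM": b"demo-body-controller-unique-key",
}


def mac(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 stands in for the 'signing' in the claims (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def build_package(updates: dict) -> dict:
    """Secure-server side: bundle the firmware images and authenticate the bundle."""
    body = {ecu: fw.hex() for ecu, fw in updates.items()}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"payload": payload, "tag": mac(SERVER_KEY, payload)}


class UntrustedECU:
    """Only stores the package and hands images out; it holds no verification key."""
    def __init__(self):
        self.package = None

    def receive(self, package: dict) -> None:
        self.package = package

    def firmware_for(self, ecu: str) -> bytes:
        return bytes.fromhex(json.loads(self.package["payload"])[ecu])

    def erase(self) -> None:          # signed erase command from the secure ECU (claims 5/13)
        self.package = None


class TargetECU:
    """Bootloader: stage an image, checksum it, sign the checksum with the unique key."""
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key
        self.staged, self.installed = None, None

    def stage(self, fw: bytes) -> None:
        self.staged = fw

    def signed_checksum(self) -> dict:
        checksum = hashlib.sha256(self.staged).digest()
        return {"ecu": self.name, "checksum": checksum, "sig": mac(self.key, checksum)}

    def install(self) -> None:        # installation command (claims 6/14)
        self.installed, self.staged = self.staged, None

    def erase(self) -> None:          # erase command (claims 7/15)
        self.staged = None


class SecureECU:
    """Holds the server key and every target key; makes every accept/reject decision."""
    def __init__(self):
        self.expected = {}            # ECU name -> checksum the authenticated package implies

    def authenticate_package(self, package: dict) -> bool:
        if not hmac.compare_digest(mac(SERVER_KEY, package["payload"]), package["tag"]):
            return False
        body = json.loads(package["payload"])
        self.expected = {ecu: hashlib.sha256(bytes.fromhex(h)).digest() for ecu, h in body.items()}
        return True

    def check_report(self, report: dict) -> str:
        """Verify the signature AND the checksum value (claims 6/14); either failing means erase."""
        sig_ok = hmac.compare_digest(mac(TARGET_KEYS[report["ecu"]], report["checksum"]), report["sig"])
        result_ok = hmac.compare_digest(self.expected[report["ecu"]], report["checksum"])
        return "INSTALL" if (sig_ok and result_ok) else "ERASE"


def run_update(package: dict, corrupted: Optional[dict] = None) -> dict:
    """Run the whole flow; `corrupted` maps an ECU name to bytes that reach that
    target instead of the genuine image (simulates a transit fault or alteration)."""
    untrusted, secure = UntrustedECU(), SecureECU()
    targets = {n: TargetECU(n, k) for n, k in TARGET_KEYS.items()}
    untrusted.receive(package)
    if not secure.authenticate_package(untrusted.package):
        untrusted.erase()
        return {"package": "ERASED"}
    decisions = {"package": "AUTHENTIC"}
    for name, target in targets.items():
        target.stage((corrupted or {}).get(name, untrusted.firmware_for(name)))
        decision = secure.check_report(target.signed_checksum())
        (target.install if decision == "INSTALL" else target.erase)()
        decisions[name] = decision
    return decisions


if __name__ == "__main__":
    pkg = build_package({"ECU_BRAKE": b"\x01brake-fw-v2", "ECU_BCM": b"\x02bcm-fw-v2"})
    print(run_update(pkg))
    print(run_update(pkg, corrupted={"ECU_BCM": b"\x02altered"}))
```

Two design points are worth noticing. The untrusted ECU never holds a key and never makes a decision, so compromising it only lets an adversary feed the secure ECU a package that fails authentication and is erased. And the secure ECU checks both the signature (the report really came from the bootloader holding that ECU's key) and the checksum value (the image staged on the target matches what the authenticated package said), so an image altered between storage and the target is caught even though the bootloader signed it honestly.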

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.